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(54) Voted processing system 



(57) A voted processing system (18) includes at 
least three processor groupings (20) coupled to a voter 
(22). Each processor grouping (20) includes a central 
processing unit (CPU) (24) and a support logic device 
(28). The CPUs (24) operate synchronously to execute 
an operating step every clock cycle. Each operating step 
of each CPU (24) is accomplished in parallel and sub- 
stantially simultaneously with each other. The support 
logic devices (28), such as memory controllers or bus 



interfaces, are coupled to the CPUs (24). The voter (22) 
is coupled to all of the processor groupings (20). The 
voter (22) uses redundant voting to detect errors in any 
one of the processor groupings (20). An error is detected 
if a minority of the processor groupings (20) disagrees 
with a majority of the processor groupings (20). When 
an error is detected, the majority of processor groupings 
(20) are considered the correct output while the remain- 
ing processor groupings (20) are reset (Fig. 2). 
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Description 
TECHNICAL FIELD 

[0001 ] The present invention relates generally to fault 
tolerant computer processors, and more particularly, to 
a voted processing system. 

BACKGROUND ART 

[0002] The natural radiation environment on Earth 
and in space can often cause short term and long term 
degradation of semiconductor devices used in comput- 
ers. This hazard is a problem for computers where fault- 
free operation is required. In addition to these radiation 
effects, computer chips are subject to random failures 
due to undetected defects and weaknesses that evolve 
over the course of time. Trace radioactive materials in 
semiconductor packages may also cause faults. 
[0003] When computers must operate for long peri- 
ods in a remote environment, or where these devices 
must operate without fault for long periods of time, the 
need forsystems that are protected from faults orfailure 
becomes critical. Remote or vulnerable environments 
include remote oil platforms, submarines, aircraft and 
isolated sites such as Antarctica. Systems that operate 
in Earth orbit and beyond are especially vulnerable to 
this radiation hazard. 

[0004] The presence of cosmic rays and particularly 
high-energy particles in space can produce a distur- 
bance called a single event effect (SEE) or a single 
event upset (SEU). The magnetic field of the Earth de- 
flects particles. The Earth's magnetic field also traps 
charged particles that travel from the Sun and other 
stars toward the Earth. Some particles that are not 
trapped by the Earth's magnetic field are steered by that 
field into our atmosphere near the poles. These particles 
can penetrate the electronic devices aboard satellites. 
[0005] When high-energy particles and gamma rays 
penetrate a semiconductor device, they deposit charge 
within the computer circuit and create transients and/or 
noise. This phenomenon can "upset" the memory cir- 
cuits. One type of upset occurs when a single bit of data 
stored in the chip's memory changes its value due to 
radiation. In this instance, a logical value of "one" can 
change to a logical value of "zero" and vice versa. An 
upset may be generally defined as a misstated output 
of a component. This output may comprise one or more 
signal bits. 

[0006] The upset rate of a component depends on the 
construction features of the chip, including its size, op- 
erating voltage, temperature and internal circuit design. 
The upset rate for a particular part can vary from ten per 
day for a commercial one-megabit random access 
memory chip (RAM), to 1 every 2800 years for a radia- 
tion-hardened one megabit RAM. A radiation-hardened 
component is a device that has been specially designed 
and built to resist the hazards of radiation. These devic- 



es, however, tend to be much more expensive and slow- 
er than conventional chips. They typically lag the state- 
of-the-art by several years. 

[0007] A solution to this problem is presented in U.S. 

5 Patent No. 5,903,717, which discloses a fault tolerant 
computer system. This approach describes a fault tol- 
erant computer system in which four RISC CPUs are 
directly attached to voting logic and are operated in lock- 
step. Such an approach protects the CPUs from the ef- 

10 fects of ionizing radiation in space, but it does not protect 
the peripheral logic (e.g., the Memory Interface and the 
Bus Interface). 

[0008] The development of a fault tolerant computer 
based on commercially available parts for use in military 

15 and commercial space vehicles would offer significant 
operational and cost advantages: Such an invention 
would offer higher levels of performance and would cost 
less to manufacture than existing approaches based on 
radiation hardened chips. The invention could be used 

20 for remotely installed computer systems and other proc- 
essors that are subjected to random failures or to a ra- 
diation environment which produces single event upsets 
at un acceptably high rates. Such radiation upset protec- 
tion would discover and correct errors. It would be ex- 

25 tremety beneficial if a fault tolerance method could be 
applied not only at the CPU level, but also at the periph- 
eral logic level. Such a system would fill a long felt need 
in specialized computer and satellite industries. 



[0009] It is, therefore, an object of the invention to pro- 
vide an improved and reliable voted processing system. 
Another object of the invention is to harden the periph- 
35 eral logic of a processing system against radiation. 
[0010] In one embodiment of the invention, a voted 
processing system includes at least three processor 
groupings coupled to a voter. Each processor grouping 
includes a central processing unit (CPU) and a support 
40 logic device. The CPUs operate synchronously to exe- 
cute an operating step every clock cycle. Each operating 
step of each CPU is accomplished in parallel and sub- 
stantially simultaneously with each other. The support 
logic devices, such as memory controllers or bus inter- 
ns faces, are coupled to the CPUs. The voter is coupled to 
all of the processor groupings. The voter uses redun- 
dant voting to detect errors in any one of the processor 
groupings. An error is detected if a minority of the proc- 
essor groupings disagrees with a majority of the proc- 
50 essor groupings. When an error is detected, the majority 
of processor groupings are considered the correct out- 
put while the remaining processor groupings are reset. 
[0011] The present invention thus achieves an im- 
proved voted processing system. The present invention 
55 is advantageous in that it allows the use of commercial, 
non-radiation hardened components to be used with in 
a fault sensitive system. 

[0012] Additional advantages and features of the 
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present invention will become apparent from the de- 
scription that follows, and may be realized by means of 
the instrumentalities and combinations particularly 
pointed out in the appended claims, taken in conjunction 
with the accompanying drawings. 

BRIEF DESCRIPTION OF THE DRAWINGS 

[0013] In order that the invention may be well under- 
stood, there will now be described some embodiments 
thereof, given byway of example, reference being made 
to the accompanying drawings, in which: 

FIGURE 1 depicts a satellite system in which a vot- 
ed processing circuit in accordance with the present 
invention may be utilized; and 

FIGURE 2 schematically illustrates a voted 
processing circuit in accordance with one embodi- 
ment of the present invention. 

BEST MODES FOR CARRYING OUT THE 
INVENTION 

[0014] Referring to FIGURE 1 , a satellite system 10 
in which a voted processing circuit in accordance with 
the present invention might be utilized is illustrated. The 
satellite system 1 0 is comprised of one or more satellites 
12 in communication with a ground station 14 located 
on the Earth 16. Each satellite 12 contains one or more 
voted processing circuits 18. 

[0015] The satellite system 10 is responsible for in- 
suring correct processor operation while being subject- 
ed to radiation. Integrated circuits used in computers 
and other electronic systems aboard space vehicles are 
susceptible to a phenomenon known as Single Event 
Upset, or SEU. Single Event Upset occurs when radia- 
tion passing through an integrated circuit deposits stray 
charges in the device, causing one of its registers to be 
disrupted. Several fault protection techniques can be 
utilized to reduce the number of SEU's that occur in the 
integrated circuits used aboard space vehicles, but 
these conventional techniques have several disadvan- 
tages. 

[0016] Referringto FIGURE 2, a schematic of a voted 
processing circuit 18 in accordance with one embodi- 
ment of the present invention is illustrated. Voted 
processing circuit 18 includes three or more processor 
groupings 20 coupled to a voter 22. Each processor 
grouping 20 includes a central processing unit 24 and a 
support logic device 28 and has a plurality of processor 
grouping inputs and outputs. In one preferred embodi- 
ment of the present invention, three processor group- 
ings 20 are used, however, one skilled in the are would 
recognize that any number of processor groupings 
greater then three may be used. 
[0017] A voted processing circuit 18 includes three 
processor groupings 20 and three CPUs 24. One CPU 



corresponding to each processor grouping 20 is re- 
quired. Each CPU 24 receives a clock signal 26 and ex- 
ecutes an operating step during a clock cycle of clock 
signal 26. Each CPU 24 operates synchronously, each 

5 operating step of each CPU 24 being accomplished in 
parallel and substantially simultaneously with each oth- 
er CPU 24 for each clock cycle. Each CPU 24 includes 
a plurality of CPU inputs coupled to support logic device 
28 through line 30 and a plurality of CPU outputs cou- 

io pled to support logic device 28 through line 32. 

[0018] In a voted processing circuit 18 containing 
three processor groupings 20, three support logic devic- 
es 28, one corresponding to each processor grouping 
20, are required. One skilled in the art would recognize 

15 that support logic device 28 may include any type of pe- 
ripheral or bus support logic component. These corhpo- 
nents may include a memory system, a memory control- 
ler, a system memory, or a bus interface controller. Each 
support logic device 28 includes a plurality of support 

20 logic device inputs coupled to CPU 24 through line 32 
and a system bus 34 through line 36. Each support logic 
device also includes a plurality of support logic device 
outputs coupled to CPU 24 through line 30 and voter 22 
through line 38. 

25 [0019] Voter 22 is coupled to each processor grouping 
20 through line 38 and is responsible for detecting out- 
put errors and resetting each processor grouping 20. 
Voter 22 uses redundant voting of the processor group- 
ing outputs. An error is detected if a minority of the proc- 

30 essor grouping outputs disagrees with a majority of the 
processor grouping outputs. In the present example, 
when three processor groups 20 are used, one is a mi- 
nority. Each processor grouping output is compared one 
with another by voter 22 each clock cycle. Each voter 

35 22 includes a plurality of voter inputs coupled to support 
logic device 28 through line 38 and a plurality of voter 
outputs coupled to system bus 34 through line 44. 
[0020] When voted processing circuit 18 is reset 
through reset input 42, all of the CPUs 24 and all of the 

40 support logic devices 28 are set substantially to the 
same state. When voted processing circuit 1 8 starts run- 
ning, each individual processor grouping 20 runs in lock 
step with all the other processor groupings 20. Typically, 
all processor groupings 20 will agree on any outputs that 

45 they generate (this is the non-fault state of voted 
processing circuit 18). In the event that one processor 
grouping 20 generates a signal that is in disagreement 
with the other signals, voter 22 initiates a recovery proc- 
ess. 

so [0021] In the recovery process, the processor group- 
ing 20 with the error is immediately reset through line 
40. This puts it back into a known state. The remaining 
processor groupings are interrupted by voter 22 indicat- 
ing that a fault has occurred. When interrupted, the re- 

55 maining processor groupings 20 start saving any vital 
state information into main system memory. Upon com- 
pletion of this interrupt process, the fault detection logic 
resets all processor groupings 20 through line 40, 
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whereupon they start executing code again from a state 
defined operating step with minimal disruption. 
[0022] Typically, when a processor grouping error oc- 
curs, the present invention will successfully save vital 
information, resynchronize the processor groupings 20 
and resume normal execution of code. However, this is 
not always the case. It is possible for upsets to occur 
while voted processing circuit 20 is attempting to recov- 
er from a previous error. While the recovery interrupt is 
being processed, voter 22 continues to monitor the out- 
puts of the, remaining processor groupings 20. Should 
voter 22 detect further disagreements such that a ma- 
jority of the remaining processor groupings 20 are not 
known to be in complete agreement, it will declare a fatal 
error and immediately reset all processor groupings 20 
through line 40. Once processor groupings 20 have all 
been reset, voted processing circuit 1 8 will start execut- 
ing code from a hardware defined operating step. 
[0023] The present invention thus achieves an im- 
proved system for preventing single event upset in- 
duced errors by incorporating the processor support log- 
ic before voter 20. While voter logic is susceptible to 
SEU induced errors, the number of transistors involved 
in the voter logic is far smaller than the number of pe- 
ripheral logic transistors. Therefore, system exposure to 
SEUs is greatly reduced and consequent system relia- 
bility is increased. Without the invention, satellite system 
1 0 will require ground intervention about once every thir- 
ty years. The majority of this is due to errors in processor 
support logic. With the present invention, satellite sys- 
tem 1 0 will require ground intervention about once every 
one hundred twenty years, resulting in a four-fold im- 
provement. 

[0024] From the foregoing, it can be seen that there 
has been brought to the art a new and improved voted 
processing system. It is to be understood that the pre- 
ceding description of the preferred embodiment is mere- 
ly illustrative of some of the many specific embodiments 
that represent applications of the principles of the 
present invention. Clearly, numerous and other arrange- 
ments would be evident to those skilled in the art without 
departing from the scope of the invention as defined by 
the following claims: 



Claims 

1 . A voted processing circuit (1 8) characterized by: 

at least three processor groupings (20) each of 
said at least three processor groupings (20) 
having a plurality of processor grouping inputs 
(36) and a plurality of processor grouping out- 
puts (38), said at least three processor group- 
ings (20) comprising: 

at least three central processing units 
(CPUs) (24), each CPU (24) corresponding to 
one of said at least three processor groupings 



(20), each of said at least three CPUs (24) hav- 
ing an operating step executed during a clock 
cycle, said at least three CPUs (24) operating 
synchronously, each operating step of each 

5 CPU (24) being accomplished in parallel and 

substantially simultaneously with each of the 
other of the at least three CPUs (24) each clock 
cycle, each of said at least three CPUs (24) 
having a plurality of CPU inputs (30) and a plu- 

10 rality of CPU outputs (32); and 

at least three support logic devices (28), each 
support logic device (28) coupled to said plu- 
rality of CPU inputs (30) and said plurality of 
is CPU outputs (32) of one of said at least three 

CPUs (24), each of said at least three support 
logic devices (28) having a plurality of support 
logic device inputs (32) coupled to said plurality 
of CPU outputs (32) and a plurality of support 
20 logic device outputs (30) coupled to said plural- 

ity of CPU inputs (30); and 

a voter (22) coupled to said plurality of proces- 
sor grouping outputs (38), said voter (22) using 
25 redundant voting of said plurality of processor 

grouping outputs (38) to detect errors in any 
one of said plurality of processor grouping out- 
puts (38), whereby an error is detected if one 
of said processor grouping outputs (38) disa- 
30 grees with a majority of said plurality of proces- 

sor grouping outputs (38) of said at least three 
processor groups (20), each of said plurality of 
processor grouping outputs (38) being com- 
pared one with another by said voter (22) each 
35 said clock cycle, said voter having a plurality of 

voter outputs (44). 

2. The circuit of claim 1, characterized in that said 
voter (22) resets each of said at least three proces- 

40 sor groups (20) during a fatal error, whereby said at 
least three processor groups (20) restart at a hard- 
ware defined operating step after being reset. 

3. The circuit of claim 2, characterized in that said 
45 voter (22) interrupts said at least three processor 

groups (20) when one of said processor groups (20) 
has an error, whereby each of said at least three 
processor groups (20) without an error stores state 
information and said voter (22) resets said proces- 
so sor group (20) with an error, said voter (22) resetting 
said at least three processor groups (20) after said 
state information is stored to restart said at least 
three processor groups (20) at a state defined op- 
erating step. 

55 

4. The circuit of claim 2, characterized in that said 
voter (22) interrupts said at least three processor 
groups (20) when a minority of said processor 
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groups (20) has an error, whereby each of said at 
least three processor groups (20) without an error 
stores state information and said voter (22) resets 
said minority of processor groups (20) with an error, 
said voter (22) resetting said at least three proces- s 
sor groups (20) after said state information is stored 
to restart said at least three processor groups (20) 
at a state defined operating step. 

5. The circuit of any of claims 2-4, characterized in 10 
that said voter (22) includes a reset input (42), 
whereby said voter (22) resets said at least three 
processor groups (20) when said reset input (42) is 
activated. 

15 

6. The circuit of any of claims 1-5, characterized in 
that each of said at least three support logic devices 
(28) includes a memory system. 

7. The circuit of claim 6, characterized in that said 20 
memory system includes a memory controller cou- 
pled to a system memory, said memory controller 
coupled to each of said at least three CPUs (24). 

8. The circuit of any of claims 1-7, characterized by 25 
a system bus (34) coupled to each of said plurality 

of processor grouping inputs (36) and said plurality 
of voter outputs (44). 

9. The circuit of claim 8, characterized in that each 30 
of said at least three support logic devices (28) in- 
cludes a bus interface controller coupled to said 
system bus (34). 

1 0. A satellite system (1 0) comprising: 35 

a ground station (14); 

a satellite (12) in orbit and in communication 
with said ground station (1 4), said satellite (12) 40 
having a voted processing circuit (18) accord- 
ing to any of claims 1 -9, wherein 

a system bus (34) is coupled to each of said 
plurality of processor grouping inputs (36) and 45 
said plurality of voter outputs (44). 
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